HIPAA Projects
You can use Supabase to store and process Protected Health Information (PHI). If you want to build healthcare apps on Supabase, contact the Supabase team to sign a Business Associate Agreement (BAA).
Before storing or processing PHI, an organization must have a signed BAA with Supabase and must have the Health Insurance Portability and Accountability Act (HIPAA) add-on enabled.
Configuring a HIPAA project
When the HIPAA add-on is enabled on an organization, projects within that organization can be configured as High Compliance. This setting is found on the General Project Settings page of the dashboard. Once enabled, additional security checks run against the project to verify that its deployed configuration is compliant. These checks run continually, and a security warning appears in the Security Advisor whenever a non-compliant setting is detected.
The required project configuration is outlined in the shared responsibility model for managing healthcare data.
The required settings include:
- Enabling Point in Time Recovery, which requires at least a Small compute add-on.
- Turning on SSL Enforcement, so that clients cannot connect to the database over plaintext.
- Enabling Network Restrictions. Restrict database access to the specific CIDR ranges that need it; an allow list containing a catch-all range such as 0.0.0.0/0 is equivalent to having no restriction at all.
Additional checks and controls will be added as the Security Advisor is extended and further security controls become available.
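The three settings above can also be audited outside the dashboard. The script below is an added example and is not Supabase's own code: it fetches a project's backup, SSL enforcement and network restriction configuration from the Supabase Management API and reports any setting that would fail the High Compliance checks. The endpoint paths (`/database/backups`, `/ssl-enforcement`, `/network-restrictions`) and the response field names (`pitr_enabled`, `currentConfig.database`, `config.dbAllowedCidrs`) are assumptions based on the Management API reference, so verify them against the current API documentation before relying on the output. The evaluation logic is kept separate from the HTTP calls so it can be tested offline on the constructed sample responses included in the block.

```python
"""Audit a Supabase project against the HIPAA High Compliance requirements:
PITR enabled, SSL enforced on the database, and network restrictions that
do not allow the whole internet.

Added example, not Supabase's own code. Endpoint paths and response shapes
are assumptions based on the Management API reference.
"""
import ipaddress
import json
import os
import urllib.request

MANAGEMENT_API = "https://api.supabase.com/v1"


def _is_catch_all(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any range with a zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def evaluate(backups: dict, ssl: dict, network: dict) -> list:
    """Return a list of non-compliant findings; an empty list means compliant."""
    findings = []

    # 1. Point in Time Recovery must be on (assumed field: pitr_enabled).
    if not backups.get("pitr_enabled", False):
        findings.append("PITR is disabled: enable Point in Time Recovery (needs a compute add-on)")

    # 2. SSL must be enforced on the Postgres endpoint (assumed field: currentConfig.database).
    if not ssl.get("currentConfig", {}).get("database", False):
        findings.append("SSL enforcement is off: clients may connect in plaintext")
    elif not ssl.get("appliedSuccessfully", True):
        findings.append("SSL enforcement requested but not yet applied")

    # 3. Network restrictions must exist and must not include a catch-all range
    #    (assumed fields: config.dbAllowedCidrs / config.dbAllowedCidrsV6, status).
    cfg = network.get("config", {})
    cidrs = list(cfg.get("dbAllowedCidrs", [])) + list(cfg.get("dbAllowedCidrsV6", []))
    if not cidrs:
        findings.append("No network restrictions configured: database reachable from any address")
    for c in cidrs:
        try:
            if _is_catch_all(c):
                findings.append(f"Allow list contains catch-all range {c}: equivalent to no restriction")
        except ValueError:
            findings.append(f"Unparseable CIDR in allow list: {c!r}")
    if network.get("status") not in (None, "applied"):
        findings.append(f"Network restrictions not yet applied (status={network.get('status')})")

    return findings


def fetch_config(project_ref: str, token: str) -> tuple:
    """Pull the three settings from the Management API (assumed endpoint paths)."""
    def get(path: str) -> dict:
        req = urllib.request.Request(
            f"{MANAGEMENT_API}/projects/{project_ref}{path}",
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return get("/database/backups"), get("/ssl-enforcement"), get("/network-restrictions")


# Constructed sample responses (not real API output) for offline testing.
SAMPLE_NONCOMPLIANT = (
    {"pitr_enabled": False, "walg_enabled": False, "backups": []},
    {"currentConfig": {"database": False}, "appliedSuccessfully": True},
    {"config": {"dbAllowedCidrs": ["0.0.0.0/0"]}, "status": "applied"},
)
SAMPLE_COMPLIANT = (
    {"pitr_enabled": True, "walg_enabled": True, "backups": []},
    {"currentConfig": {"database": True}, "appliedSuccessfully": True},
    {"config": {"dbAllowedCidrs": ["203.0.113.0/24"], "dbAllowedCidrsV6": []}, "status": "applied"},
)


if __name__ == "__main__":
    # Assumed environment variables; with neither set, the constructed sample is audited instead.
    ref = os.environ.get("SUPABASE_PROJECT_REF")
    token = os.environ.get("SUPABASE_ACCESS_TOKEN")
    configs = fetch_config(ref, token) if ref and token else SAMPLE_NONCOMPLIANT
    for finding in evaluate(*configs) or ["compliant"]:
        print(finding)
```

Run with `SUPABASE_PROJECT_REF` and a personal access token in `SUPABASE_ACCESS_TOKEN` to audit a live project; without them the script evaluates the constructed non-compliant sample and prints three findings. Treat the script as a pre-flight check, not a replacement for the Security Advisor, which runs the authoritative checks on Supabase's side.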